Analysis
max time kernel: 168s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 14-01-2024 01:57
Static task: static1
Behavioral task: behavioral1
Sample: 59fa728668cadc67f6c031e08cf7d203.exe
Resource: win7-20231215-en
General
Target: 59fa728668cadc67f6c031e08cf7d203.exe
Size: 193KB
MD5: 59fa728668cadc67f6c031e08cf7d203
SHA1: 6fe6f0f77504d02560e2ce3cea79e01dc8dc1c8e
SHA256: 679a4974ab63899ed62e52788c391369675a904adc969c93d4ec274dada141d2
SHA512: 9e273dc3707de2a13e58d78bb6f5694493886f88ffc1a5893fd7290be509be56439cd8d31c247d7bf72ad9a2f650af4dca84d5eaf175687572b347a3e967318b
SSDEEP: 3072:pR2xn3k0CdM1vabyzJYWqSSpbaxhptgiHaKruj3A3dS5DFZSHZFD:pR2J0LS6VTI/fjaHQ31V
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid   Process
4888  59fa728668cadc67f6c031e08cf7d203mgr.exe
644   WaterMark.exe
1620  WaterMarkmgr.exe
700   WaterMark.exe

UPX packed file (yara rule upx) 20 IoCs
resource                                                                     yara_rule
behavioral2/memory/4888-6-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/4888-12-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4888-15-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4888-17-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4888-10-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4888-22-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/4888-19-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1832-27-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/1620-35-0x0000000000400000-0x0000000000438000-memory.dmp  upx
behavioral2/memory/1620-47-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral2/memory/644-49-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/700-52-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/700-60-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/700-63-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/644-69-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/644-70-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/644-74-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/700-75-0x0000000000400000-0x0000000000451000-memory.dmp   upx
behavioral2/memory/700-76-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/644-77-0x0000000000400000-0x0000000000421000-memory.dmp   upx
Drops file in Program Files directory 9 IoCs
description                   ioc                                                Process
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     59fa728668cadc67f6c031e08cf7d203.exe
File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe     59fa728668cadc67f6c031e08cf7d203.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxE86C.tmp        59fa728668cadc67f6c031e08cf7d203mgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  WaterMark.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxE85C.tmp        59fa728668cadc67f6c031e08cf7d203.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     59fa728668cadc67f6c031e08cf7d203mgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxE9C4.tmp        WaterMarkmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     WaterMarkmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  WaterMark.exe
Program crash 2 IoCs
pid   pid_target  Process       procid_target
380   1120        WerFault.exe  94
4928  4632        WerFault.exe  93
Modifies Internet Explorer settings (64 IoCs listed)
All registry paths below are relative to \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\
description       ioc                                                                                      Process
Key created       Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                            iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5C5F5721-B280-11EE-9A4E-DE9D3A49EF0E} = "0"   iexplore.exe
Key created       Software\Microsoft\Internet Explorer\Main\WindowsSearch                                  iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "828627679"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"          iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "828627679"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "830190935"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                       iexplore.exe
Key created       Software\Microsoft\Internet Explorer\VersionManager                                      iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31082125"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "858471794"   IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31082125"   IEXPLORE.EXE
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""   IEXPLORE.EXE
Key created       Software\Microsoft\Internet Explorer\VersionManager                                      iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31082125"   IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"          iexplore.exe
Key created       Software\Microsoft\Internet Explorer\GPU                                                 IEXPLORE.EXE
Key created       Software\Microsoft\Internet Explorer\Main\WindowsSearch                                  iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"          iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "858628038"   IEXPLORE.EXE
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"       iexplore.exe
Key created       Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\                         iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5C4C4A18-B280-11EE-9A4E-DE9D3A49EF0E} = "0"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"    iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "870346929"   iexplore.exe
Set value (data)  SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"          iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31082125"   IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"          iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "828315765"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31082125"   IEXPLORE.EXE
Key created       Software\Microsoft\Internet Explorer\Main                                                iexplore.exe
Key created       Software\Microsoft\Internet Explorer\Main\WindowsSearch                                  iexplore.exe
Key created       Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                            iexplore.exe
Key created       Software\Microsoft\Internet Explorer\VersionManager                                      IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411962465"       iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                       iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31082125"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31082125"   iexplore.exe
Key created       Software\Microsoft\Internet Explorer\DomainSuggestion                                    iexplore.exe
Set value (data)  SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31082125"   IEXPLORE.EXE
Key created       Software\Microsoft\Internet Explorer\VersionManager                                      IEXPLORE.EXE
Key created       Software\Microsoft\Internet Explorer\VersionManager                                      iexplore.exe
Key created       Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                            iexplore.exe
Key created       Software\Microsoft\Internet Explorer\Main                                                IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31082125"   iexplore.exe
Key created       Software\Microsoft\Internet Explorer\VersionManager                                      IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "832222548"   IEXPLORE.EXE
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                              iexplore.exe
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"       iexplore.exe
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"       iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31082125"   IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31082125"   iexplore.exe
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                              iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "858471794"   IEXPLORE.EXE
Key created       Software\Microsoft\Internet Explorer\Recovery\AdminActive                                iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5C5F7E31-B280-11EE-9A4E-DE9D3A49EF0E} = "0"   iexplore.exe
Set value (str)   SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"       iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"          iexplore.exe
Key created       Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                            iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31082125"   iexplore.exe
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "832222548"   IEXPLORE.EXE
Set value (int)   SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"          iexplore.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid  Process
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
644  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
700  WaterMark.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid  Process
Token: SeDebugPrivilege  644  WaterMark.exe
Token: SeDebugPrivilege  700  WaterMark.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process
3372  iexplore.exe
2212  iexplore.exe
2800  iexplore.exe
3096  iexplore.exe
Suspicious use of SetWindowsHookEx 18 IoCs
pid   Process
2212  iexplore.exe
2212  iexplore.exe
3096  iexplore.exe
3096  iexplore.exe
3372  iexplore.exe
3372  iexplore.exe
2800  iexplore.exe
2800  iexplore.exe
3688  IEXPLORE.EXE
3688  IEXPLORE.EXE
688   IEXPLORE.EXE
688   IEXPLORE.EXE
2316  IEXPLORE.EXE
2316  IEXPLORE.EXE
4576  IEXPLORE.EXE
4576  IEXPLORE.EXE
688   IEXPLORE.EXE
688   IEXPLORE.EXE
Suspicious use of UnmapMainImage 5 IoCs
pid   Process
4888  59fa728668cadc67f6c031e08cf7d203mgr.exe
1832  59fa728668cadc67f6c031e08cf7d203.exe
644   WaterMark.exe
1620  WaterMarkmgr.exe
700   WaterMark.exe
Suspicious use of WriteProcessMemory 50 IoCs
description                       pid   Process                                   procid_target
PID 1832 wrote to memory of 4888  1832  59fa728668cadc67f6c031e08cf7d203.exe      88
PID 1832 wrote to memory of 4888  1832  59fa728668cadc67f6c031e08cf7d203.exe      88
PID 1832 wrote to memory of 4888  1832  59fa728668cadc67f6c031e08cf7d203.exe      88
PID 1832 wrote to memory of 644   1832  59fa728668cadc67f6c031e08cf7d203.exe      91
PID 1832 wrote to memory of 644   1832  59fa728668cadc67f6c031e08cf7d203.exe      91
PID 1832 wrote to memory of 644   1832  59fa728668cadc67f6c031e08cf7d203.exe      91
PID 644 wrote to memory of 1620   644   WaterMark.exe                             90
PID 644 wrote to memory of 1620   644   WaterMark.exe                             90
PID 644 wrote to memory of 1620   644   WaterMark.exe                             90
PID 1620 wrote to memory of 700   1620  WaterMarkmgr.exe                          92
PID 1620 wrote to memory of 700   1620  WaterMarkmgr.exe                          92
PID 1620 wrote to memory of 700   1620  WaterMarkmgr.exe                          92
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 644 wrote to memory of 1120   644   WaterMark.exe                             94
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 4632   700   WaterMark.exe                             93
PID 700 wrote to memory of 3372   700   WaterMark.exe                             104
PID 700 wrote to memory of 3372   700   WaterMark.exe                             104
PID 644 wrote to memory of 3096   644   WaterMark.exe                             105
PID 644 wrote to memory of 3096   644   WaterMark.exe                             105
PID 644 wrote to memory of 2800   644   WaterMark.exe                             106
PID 644 wrote to memory of 2800   644   WaterMark.exe                             106
PID 700 wrote to memory of 2212   700   WaterMark.exe                             107
PID 700 wrote to memory of 2212   700   WaterMark.exe                             107
PID 2212 wrote to memory of 688   2212  iexplore.exe                              108
PID 2212 wrote to memory of 688   2212  iexplore.exe                              108
PID 2212 wrote to memory of 688   2212  iexplore.exe                              108
PID 3096 wrote to memory of 3688  3096  iexplore.exe                              109
PID 3096 wrote to memory of 3688  3096  iexplore.exe                              109
PID 3096 wrote to memory of 3688  3096  iexplore.exe                              109
PID 3372 wrote to memory of 4576  3372  iexplore.exe                              110
PID 3372 wrote to memory of 4576  3372  iexplore.exe                              110
PID 3372 wrote to memory of 4576  3372  iexplore.exe                              110
PID 2800 wrote to memory of 2316  2800  iexplore.exe                              111
PID 2800 wrote to memory of 2316  2800  iexplore.exe                              111
PID 2800 wrote to memory of 2316  2800  iexplore.exe                              111
Processes
(indentation shows the parent/child relationship; the number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203.exe"
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 1832
    [2] C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203mgr.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203mgr.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of UnmapMainImage
        PID: 4888
    [2] C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID: 644
        [3] C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\svchost.exe
            PID: 1120
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 212
                - Program crash
                PID: 380
        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3096
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3096 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID: 3688
        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2800
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID: 2316

[1] C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
    Command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 1620
    [2] C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID: 700
        [3] C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\svchost.exe
            PID: 4632
            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 204
                - Program crash
                PID: 4928
        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3372
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3372 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID: 4576
        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2212
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID: 688

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1120 -ip 1120
    PID: 4372

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4632 -ip 4632
    PID: 3656
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 193KB
MD5: 59fa728668cadc67f6c031e08cf7d203
SHA1: 6fe6f0f77504d02560e2ce3cea79e01dc8dc1c8e
SHA256: 679a4974ab63899ed62e52788c391369675a904adc969c93d4ec274dada141d2
SHA512: 9e273dc3707de2a13e58d78bb6f5694493886f88ffc1a5893fd7290be509be56439cd8d31c247d7bf72ad9a2f650af4dca84d5eaf175687572b347a3e967318b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C4C4A18-B280-11EE-9A4E-DE9D3A49EF0E}.dat
Filesize: 3KB
MD5: 4591b1d2acdd6a8c1d9e4ff1a14a1d7e
SHA1: 6d89dfc62cd877bea0c834d64e2285ecfe166151
SHA256: aeecb72bf842ca0d55b1a3f7e621e13703a5d0f5dc774623c662cb2c551e77b9
SHA512: 5d2439550bdb917959c36cc5f9fa0319eadacc7b7f86a3784ee7683eaca41832917c7c48385df3792c8264dfc42ace87ca0d25d79fdc2db2b110e83b525df655

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C5A92DB-B280-11EE-9A4E-DE9D3A49EF0E}.dat
Filesize: 4KB
MD5: c0de8f18b003472c1ce957c52b83c282
SHA1: f8948b80d2eef030ab2c9344ed816ddd72fad245
SHA256: 4e473075dd4cd9c569a55a7b09f361e818cc228edfc5f587ca96651c90cc4a39
SHA512: 2badb7581b52ca75d78c9d6364339253a4a43416efde1a832c6fc4ef1a72059b3ccea86a05d6723ab49377869a32fac13b7d57310ad9dbb017590c53bb1c6f54

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C5F5721-B280-11EE-9A4E-DE9D3A49EF0E}.dat
Filesize: 5KB
MD5: 186ecc03ea7b20a17065b939c806eff6
SHA1: 1a4f4d6f11c40053b3490b398c9033467e9cf3f4
SHA256: dd8302fd8bbf21a86bb3b71079b12f535efd74dcfc46c378d8394deb89c63bd6
SHA512: c9db12baafd2b22ad5b5ae90a469a722af82da9597e381b64bf828d08b3f6f0208237e40a22875989f11f4b2be570307bacd151fb6d4af42f10ca1f56fb15451

Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 95KB
MD5: f8a6e7529ad1b00a18c6ca2702521471
SHA1: 2cadb00ca99be622623dc78095f594bedfec7534
SHA256: ce8e07cec9c3857f48e20916c65413335ab480b0c3d70345e98147b2ff7b8de6
SHA512: e1c3f164aa58360e4b664341ddea907fe990fa93de6f1e98b4fe87bf713e62b50191d738afc5591ead628f6f58dead74d78d26267ac03079f96bcb85b93ce2f7